Requirements

User and Roles

CmPersonAndRole

  • Employee
  • DevOps
  • Config Manager

Base

  • System components (like httpd) should be installable and configurable by configuration data.
  • DevOps should be able to install System Components with as little configuration as possible.

Configuration

Validation

  • req0090 CM System validates configuration ahead of applying.

Dimension Multitenancy

  • req0184 Multi Tenant configuration
    • Multi Tenant configuration can be handled separately per tenant

Configuration, Defaults and Overwrite-Order

  • req0049 CM System provides Configuration Override Hierarchy (NonFunctional).
    1. CM System overwrites (changes a value or deletes) at the level of a single property.
    2. Configuration overwrite is resolved in the following order (the topmost available config overwrites the later ones):
      1. tenant / instance config
      2. tenant / server config
      3. tenant / default config
      4. module / nesting module default config
      5. module / nested module default config
    3. The following dimensions are used for resolving overwrites:
      1. Tenant Configuration: With the following properties
        1. Tenant Configuration can be authorized discretely.
        2. Config Manager can use tenant defaults
        3. Config Manager can use server config
        4. Config Manager can use instance config
      2. Module Default Configuration: With the following properties
        1. Each module has to provide a useful default configuration
        2. Modules can overwrite default config of nested modules.
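
The override resolution of req0049, as an added example (not code from the CM system itself): layers are merged property by property, from the lowest-precedence module default up to the tenant instance config. The layer names, the DELETE marker and the httpd property keys are assumptions made for illustration.

```python
from copy import deepcopy

# Assumption: a layer marks a property for deletion with this sentinel.
DELETE = object()

# req0049 precedence, highest first (layer names are illustrative).
PRECEDENCE = (
    "tenant/instance",
    "tenant/server",
    "tenant/default",
    "module/nesting-default",
    "module/nested-default",
)


def merge(base, override):
    """Apply override to base one property at a time; inputs stay unmodified."""
    result = deepcopy(base)
    for key, value in override.items():
        if value is DELETE:
            result.pop(key, None)  # delete a single property
        elif isinstance(value, dict):
            current = result.get(key)
            # Recurse so sibling properties of lower layers survive.
            result[key] = merge(current if isinstance(current, dict) else {}, value)
        else:
            result[key] = deepcopy(value)  # change a single value
    return result


def resolve(layers):
    """Return the effective config for a dict of layer name -> config."""
    unknown = set(layers) - set(PRECEDENCE)
    if unknown:
        raise ValueError(f"unknown config layer(s): {sorted(unknown)}")
    effective = {}
    for name in reversed(PRECEDENCE):  # lowest precedence first
        effective = merge(effective, layers.get(name, {}))
    return effective


# Constructed sample data; the httpd keys are hypothetical.
SAMPLE_LAYERS = {
    "module/nested-default": {
        "httpd": {"listening-port": 80, "max-clients": 150, "server-signature": "On"}
    },
    "module/nesting-default": {"httpd": {"max-clients": 256}},
    "tenant/default": {"httpd": {"server-signature": DELETE}},
    "tenant/instance": {"httpd": {"listening-port": 8443}},
}

if __name__ == "__main__":
    print(resolve(SAMPLE_LAYERS))
```

Rejecting unknown layer names keeps a misspelled tenant layer from being silently ignored, which would otherwise leave a module default in force.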

State Management & Version

  • State should be stored in a defined place
  • req0091 CM System reads version of already applied configurations from target system.
  • req0092 CM System writes version of currently applied configuration to target system.

Runtime

Distribution

req0182

  • Configuration Distribution
    • System pushes configuration from a central system to nodes.
    • Configuration receiver has the following prerequisites:
      • Running SSH server
      • Credentials known by configuration management system
      • Bash is available.
    • System delivers only the node-specific configuration to target nodes. Other nodes' security-relevant data (such as SSL keys, credentials, configuration information) stays central.
    • Configuration for developer client nodes should be pulled from the configuration management repository. Developers should be able to apply their own configuration of their developer clients themselves.

System Adapters

httpd / WebServer

Basic Functionality

  • req0032 System configures the ListeningPorts
  • req0031 System configures the central security-settings for production grade environments.
  • req0030 System configures logging formats.
  • req0037 MaxClients, Upload sizes are configurable
  • req0033 System installs & configures modules.
    • Supported modules are:
      • modGnutls
      • modjk
      • proxy
      • rewrite

VHost

  • req0035 Redirect http -> https
    • For each vhost, the module provides an http and an https configuration. The http configuration redirects all requests to https.
  • req0034 VHost is NameBased or IP/Port-Based
  • req0036 Document Root is configurable
  • req0039 Module supports multi-tier maintenance page

  • req0040 Module supports Google's site ownership validation

    • The Admin configures the Google validation id.
    • In the configuration phase, the Module
      • generates a static html file for the given id,
      • considers the static id on all supported modules (mod_jk, mod_proxy, authentication)

Module specific Configurations

  • req0038 System configures GnuTls module for VHost
    • Config Manager configures the vhost's certificates
    • System provides a default cipher configuration passing SSLLabs tests
  • req0041 Module supports mod_jk
    • Admin can mount url-paths to worker-spec
    • Admin can unmount subpaths from worker-spec
    • Admin can configure worker-spec

Load Test

  • req0042 Logging fits the load test
  • req0043 Sysstat fits the load test

Convention Adapters

Module Liferay

Basic Functionality

Installation (phase :install)
  • The system installs a default liferay.

  • "Default Liferay" definition contains the following determinations:

    • webserver apache2.4 is doing the https
    • database mysql
    • document repository is filebased
    • application server: tomcat is used, liferay is deployed as war file.
    • simple backup: mysql & document repository are backed up.
  • The system installs liferay with the following layout:

    • hot deploy: /var/lib/liferay/deploy
    • document repository: /var/lib/liferay/data
    • prepare rollout: /var/lib/liferay/prepare-rollout
    • additional third party libs: /var/lib/liferay/lib
    • ext-properties: /var/lib/liferay/portal-ext.properties
    • support scripts: /var/lib/liferay
    • apache log: /var/log/apache2
    • tomcat log: /var/log/tomcat
    • mysql log: /var/log/mysql
Release Management (phase :prepare-rollout)
  • In order to prepare rollouts, the system transports the new software version to the target system. A software version consists of

    • the liferay main application
    • hooks, portlets, layouts and themes
  • The release management scripts support two modes

    • hotdeployment (portlets, layouts and themes),
    • fulldeploy (main application)
  • The release management script removes application parts not belonging to the installed release.

Configuration (phase :configure)
  • The system configures the liferay installation in the following aspects
    • webserver: vhost, certificates, htaccess credentials, module configurations
    • application: portal-ext.properties

Managed Desktop Foundations

User Basics

  • req0082 User and Password
    • Password is initially set by CM system

VM interaction

  • req0070 VM Integration
    • Clipboard, Drag&Drop, Resolution Resizing, Shared Folders

Office Integration

  • req0071 Office Suite LibreOffice

  • req0074 VersionManagement

    • clone Plain Repositories
    • req0076 DesktopWiki

    • Solution

  • anacron
  • zim
  • git

Communication

Convenience

Managed IDE

Operating System

  • req0095 IDE is based on Xubuntu14.04.02

Development Basics

Java Development

  • req0077 Java
  • req0078 BuildManagement
    • Leiningen, Gradle, Ant
    • req0079 UML-Tools
  • req0080 Eclipse
    • WorkspaceMechanics
    • Saros
    • ProjectSpecific Configurations

Ops

Communication

Managed Office Desktop

Office Integration

  • req0094 Office Client is based on Kubuntu14.04.02
  • req0072 KMail for Mail, Calendar and Contacts

Credentials Security

Hard Crypto

  • req0227 DevOps can encrypt secrets associated with his identity.
  • req0228 DevOps has to provide passphrase and private key for runtime decryption.

Configuration Sources

  • req0226 DevOps can store all credentials in VCS, secrets are protected by crypto.
  • req0229 DevOps can store credentials in his user home in ~/.pallet/config.clj or in PALLET_HOME/config.clj
  • req0230 DevOps can use his ssh credentials from current execution-context instead of configured credentials.

System Security

  • req0231 System does not log secrets.
  • req0232 System does not expose secrets in jar files.
  • req0233 System expose secrets in target system only to admin & legitimated users.